Schneier on Security

Clive Robinson • June 25, 2019 7:50 AM

From the MSM link,

According to privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. That’s half of an entire basic wireless service plan from AT&T.

So they are “denying you the rights and privileges pertaining” to the data plan you pay for. Or in easier terms “out right theft”.

It’s time one of these silicon valley companies was prosecuted and say charged one USD for every data packet they sent.

It would help re-skew the balance between them and individuals making pervasive data gathering less profitable.

But the real underlying issue is “lack of control” even though you have purchased a phone you do not own it. In this score both Apple and Google are equally as bad.

For instance with your home computer you can put a firewall on it that you can use to block outbound traffic to various IP addresses. You can also put in a pre-filter to DNS requests such that certain entity names never resolve to anything other than localhost, and further packets sent to an IP address not in the local DNS cache can be blocked or flaged up to the user for approval.

Likewise if you don’t like the “pre-installed” apps on a personal computer you can usually de-instal them or nuke the exe files their code is in.

Trying to get that level of control on iOS or Android is for the average user not realisticaly possible.

As some in the industry know when it came to the early days of “smart pads” Microsoft was threatened by Google if they made any MS OS locked onto a platform. Well both Google and Apple do lock out other OS’s and atleast one of them incessantly “data rapes” the phones user not just every day but every few minutes.

The only solution to this problem is to kill off the DMCA and make “ownership” actually mean what it once did before the EULA nonsense back in the 1970’s and earlier started.

Clive Robinson • June 25, 2019 11:30 AM

@ John,

If you don’t want to be tracked, buy a phone that cannot track you.

As long as they are on, or in use all phones land line, satellite, cordless or mobile give away your position one way or another.

Any attempts with mobile phones to turn them off or “out of range” them by putting them in a RF shielding enclosure will after a very short time show up as repeated anomalous behaviour, that software written over a decade ago would pull out from the service providers logging records as not normal behaviour.

The software also pulled out “limited groups” that is mobile phones that only talk to a very limited number of other mobiles or land line numbers of fast food suppliers etc. That is what some refer to as “cell” behaviour which generally means suspicious or potentially criminal / terrorist thus subject to further investigation.

Interestingly in London some gangs have worked this out from a limited number of high profile cases and thus have adjusted their behaviour accordingly. Likewise high end drugs gangs and presumably other “serious organized crime” groups have adjusted their behaviours.

You can also get hold of equipment (from the US) that can be software modified that alows you to set up fairly wide area mesh VoIP and data networks. With other tricks using mobile phones where you can not just change the supposadly hardwired electronic serial number, but they also alow you to get at the user interface electronically thus potentially remotely, you can do interesting things. One such is use your fake mobile from across the other side of the city or even potentially via the Internet from any where in the world.

It’s a game not to disimilar to the old ECM / ECCM / ECCCM game used by the military with regards radar and missiles. At the end of the day you just have to be technologically smarter thus have an extra “Counter Measure” in your arsenal than those that wish to track you. However as with all OpSec you have to be very very methodical about the way you do such things because one slip will end up recorded in the service providers logs and could come back to haunt you in the future[1]. Few even when their actual lives genuinely do depend on it can get OpSec right 100% of the time…

I beleive it was Al Gore who originally gave voice about the dangers of unclassified information sources that when aggregated could reveal “secret information” and voiced “National Secirity” concerns. Well we now know that the likes of “fitness trackers” and “Social media” geo-tags have done exactly that. But what is true of military personnel is also true of the everyday citizen. Such publicaly available databases represent a very real threat to ordinary individual citizens privacy thus their freedoms from undue surveillance by the State and it’s direct and indirect entities.

The one thing we do know is that “Criminals Evolve” that is the smarter ones learn from the mistakes of others. Likewise terrorists, when an RF sensing missile was modified and killed an individual Russian alledged was a terrorist when he was using a satellite phone. Within a very short time Osama Bin Laden stopped using his satellite phone. Likewise as the US developed similar technology to locate mobile phones from drones to bring down Hellfire missiles the terrorists developed counter measures very quickly. The simplest was to use the phone a few times then give the phone to an innocent individual who got blown up along with their families and other “collateral damage” causing very bad publicity for the operators of drones. However Osama went further and stopped using any kind of RF emitting device and had switched to using “by hand” courriers.

Just remember that some Governments are looking favourably on using similar or identical drones in and around their own borders and we have good reason to believe that certain US Government entities have been using small aircraft to do similar. Because they messed up their OpSec and left the ADSB beacon on (as required by federal law) and got tracked by ordinary “hobbyist” individuals who put up on the Internet flights they thought were odd. Others then traced down registration to shell companies and so on, all because due to poor OpSec they emitted RF energy that got recorded…

There are truisms about people alowing odd things to “nag at them like an aching tooth” and others about “Pulling at loose threads till it all unravels”. These days we have the likes of Palantir employing “big data” to do such searching things fully automatically. Further it’s well within the bounds that this can be done in human terms appears to be “real time”.

[1] Supposadly under law various records kept by the US and other Governments and their entities have to be deleted after a number of years. But as various entities have been caught out in various ways, it’s safe to assume that the law is either being ignored or bypassed in some way. As there are loop holes in the public legislation and some Governments have “secret laws” it’s fairly safe to assume that some “interesting” records will be kept effectively indefinitely within some Government entities. However as the majority of these records are actually “Third Party Business Records”, on which there are no limits on how long these can be kept, and in many cases require little more than a secret letter to gain access to them, I can easily see how the Government could “out source” keeping of such information indefinitely. In fact there have been stories circulating that companies like Palantir Technologies that specializes in big data analytics, which was founded by amongst others Peter Thiel and is hedquatered in Silicon Valley is one such entity doing exactly that…

Clive Robinson • June 25, 2019 6:04 PM

@ Alejandro,

But, for those of us who think that’s a bit extreme, what’s your best practical advice for iOS users?

It depends on who you are protecting yourself against.

The first thing to remember is that any communications device that emmits RF potentially gives your position away.

Yes there are tricks you can do to reduce the “Find, Fix and Finish” issue, but they are mainly based on the assumption of ground level HF Direction Finding (DF or Huff-Duff). That is they are using the “Ground wave” not “line of sight” to find your direction.

At the upper end of the UHF band or bottom end of the Microwave band that mobile phones tend to be in line of sight operating or single reflection operation are assumed.

Thus if you can find yourself a suitable high gain antenna and an advantageous position you can point your signal not at the mobile phone mast but a suitably reflecting object from which it then bounces to a phone mast. This makes the mast think you are somewhere you are not, and if the gain of your antenna is suitably high then the power you radiate is actually automatically reduced. This means first of all you are putting out a lot less power, but that outside of the “main beam” or some “side lobes” your radiated power is reduced a lot lot further. Thus you could end up with a signal that is way to weak to be DF’d in any other direction.

You can also do tricks with “passive repeaters” these are in effect two higg gain antennas connected by a shortish length of low loss cable. A signal received by one antenna will be re-radiated by the other antenna and vice-versa. One trick I’ve used is a high mounted high gain yagi array pointing at the mobile mast with a drop down cable that connects to an inverted omnidirectional colinear antenna at around eight feet off the ground. The effect creates a sort of local hotspot in an otherwise virtually uncovered area. It’s a good way to get a distant home and garden cell coverage in rural “fringe” areas which are all to common these days. Using two high gain yagi’s cross polarized on a tower block can give you using a third yagi on your phone a way of being in an entirely different cell area.

However all of those tricks won’t hide your location if the GPS in your phone is not properly and permanently deactivated (with a skill knife, soldering iron or both). A similar issue exists with both WiFi and Bluetooth. As you probably know Google amongst others has a database of WiFi ID’s and where they are located, so they can track you even with GPS disabled. The advent of “Store tracking by Bluetooth” likewise gives an opportunity to fix your location, and as we’ve seen by Apple’s “find me” any mobile phone within thirty feet of you can see your Bluetooth and “rat you out” location wise through that phone… Oh and don’t forget the NFC system, whilst it’s range appears small, it’s greater than you think when the sensor coils are mounted in a door frame or around the walls of buildings at hip hight.

So ditching the smart phone might be your only option unless you know how to get into it and where to do the required “slice-n-dice” on the PCB’s. At which point much of the functionality of your “smart phone” is gone, but for some users the lack of the “local comms” and GPS is not an issue.

As for the OS and apps side, my view right or wrong is to assume they all have backdoors or spyware attributes unless they can be shown to be otherwise. Whilst Apple do alow some apps to get down low in the stack Google on the otherhand prevents any sort of low level app going into their online repository that might conceivably stop advertising…

The thing is how do you find an app on iOS “innocent” the simple answer is it at best difficult at worst near impossible. The only real way is to get down below the computing stack down to the underlying physical layer that is the GSM communications. Making sense of what you find there requires some interesting professional test equipment that you won’t get much change from 50,000 USD even of you do shop around carefully. However times have changed and professional kit is not your only option these days. There are a number of Software Defined Radio systems that easily cover all the GSM bands, and importantly have hogh end A-D converters and FPGA chips on for realy quite reasonable money. It’s not that difficult for those sufficiently knowledgable to find software online that can turn these SDR cards into nano/femto cell towers. You can therefore using one of the SDR cards and a high end PC get the iPhone to use the cell to communicate with.

Then it’s a matter of playing the waiting game to see if unexpected data appears on the interface. The problem is that a spyware app could in some cases not send data without being triggered in some way and only then downloading the data it has accumulated.

But an app does not even have to do anything other than make a glorified rolling log file if it knows you have the Apple cloud backup enabled, it simply waits for the file to get downloaded to apple’s hard drives where it can be read by not actually connecting with the phone…

Obviously there are a limited number of things you can do, but they may well not cover all the tricks a knowledgeable app writter might do.

So at the end of the day you can,

1, live with things the way they are.
2, take limited software steps to find and remove the spyware.
3, get out the craft knife and soldering iron and so brain surgery on the phone.
4, find a non smart phone that does not have GPS or GPS you can neuter, and a battery you can remove.
5, as an extension to 3, start getting creative with antennas.

But to be frank my recomendation for the majority would be 4.

There are a few other things you could do, but at the end of the day most people will muck up their OpSec and it will be game over.